How an Outdated Network Could Make Two-Factor SMS Worthless

An SS7 hack could destroy SMS security and making stalking the easiest thing in the world.

Getty ImagesAlexander Ryumin

By
David Grossman

Relying on an obscure yet vital communications system, researchers have been able to demonstrate the chaos hackers could wreak by infiltrating SMS messaging and rendering many two-factory security systems worthless.

You might be unfamiliar with Signaling System Number 7 (SS7), referred to in North America as the Common Channel Signaling System 7. Signaling here refers to the exchange of information between call components required to provide and maintain service. SS7, developed in 1975, is typically used by telecoms to determine when someone is roaming, and allows for transfers of information including texts and billing.

Advertisement - Continue Reading Below

If hackers gained access to SS7 networks, they could turn two-step SMS verification, an otherwise crucial security mechanism, into a playground. White hat hackers from Positive Technologies show in this video how quickly it could happen, using a bitcoin wallet as an example.

"This hack would work for any resource—real currency or virtual currency—that uses SMS for password recovery," says Positive researcher Dmitry Kurbatov to Forbes. "This is a vulnerability in mobile networks, which ultimately means it is an issue for everyone, especially services relying on the mobile network to send security codes."

Such a hack would affect more than bitcoin users, or those with two-step verification. An SS7 hack could also let an attacker listen in on calls, peruse through all of a phone's sent SMS texts, track the location of the phone.

Positive Technologies hackers were able to gain to the SS7 network "for research purposes," while hackers would have to, presumably, hack or bribe their way in. A service that claimed to give someone access to SS7 networks for $500 was recently deemed a scam. These threats have been around for a decade. SS7 vulnerabilities were first detected in 2008 by German SR Labs and demonstrations of these vulnerabilities have been going on since 2014. Congressman Ted Lieu and Senator Ron Wyden have both called for upgrades in SS7 security.

Advertisement - Continue Reading Below

Given the current outbreak of hacking worldwide, most of it related to outdated systems liked SS7, it makes more sense than ever to look towards more secure means of texting like Signal or Facebook's WhatsApp for communication. And if you use two-step verification, use an authentication app instead of text message if at all possible.